Breaking Out of the Vicious Cycle of Ransomware Attacks
Ransomware has quickly become one of the most prevalent cyber threats facing organizations today. Unfortunately, the cybercriminal community has latched onto this attack method because infections can quickly cause devastating damage to the victim, and strikes are incredibly easy to launch at scale.
The best way to ensure that your organization does not fall victim to a ransomware attack is to understand what happens when an attacker injects this type of malware into a system.
Why Ransomware?
Ransomware has quickly become one of the most prevalent cyber threats facing organizations today. Unfortunately, the cybercriminal community has latched onto this attack method because infections can quickly cause devastating damage to the victim, and strikes are incredibly easy to launch at scale.
More than 300 million cyberattacks were recorded in 2020 – or more than 8,000 a day. This staggering figure represents a 64% increase over the previous year, and there is no reason to believe this will change. Even if most victims recover from an attack without paying the ransom, the threat actors can still count on a payday from the minority that are forced to pay.
With so many attacks taking place, the odds are that every organization in the world will be targeted multiple times. And being hit by ransomware isn't always a one-off strike. The unfortunate truth is that once an attacker discovers a business is weak, the gang will likely strike again.
Breaking the Ransomware Attack Cycle
To stop an attack, one must understand how a ransomware attack works. Ransomware is a formidable threat because it's relatively easy to deliver, with most attacks using the same handful of vectors.
One favored vector is through an unpatched software vulnerability, particularly one that is associated with externally facing infrastructure such as a VPN.
Secondly, hijacking user credentials is a common practice as people tend to do a poor job of choosing a strong or random password. These weak passwords may be brute forced with automated tools, or attackers may just steal them via a phishing attack. Threat actors also deliver ransomware through malicious files attached to an email.
Making matters worse, attackers have adapted their email technique to evade signature-based email security solutions by hiding their malware code with macros or exploiting filesharing tools like SharePoint.
RESEARCH REPORT
2021 Email Threat Report
Email remains a security problem for organizations. Cybercriminals continue to favor email to distribute malware, phishing scams, and spam because email gets delivered to the end user, wanted or not, and email can be easily faked to appear legitimate.
The Trustwave 2021 Email Threat Report, featuring data and analysis from the SpiderLabs Email Security Research and Malware Analysis Team, details some of the most significant email threats organizations face, and provides insight on the tricks and techniques cybercriminals are using to snare their victims.
What Happens Once the Ransomware is Inside a Network?
Most ransomware we encounter today is coded with instructions so it will automatically begin functioning once it is placed within a network and activated. The malware starts by scoping out options for gaining more network privileges. Once the malware has gained a higher level of access, the ransomware will begin moving laterally through the system and start wreaking havoc. Unfortunately, most organizations still do a poor job segmenting their networks or keeping credentials for privileged accounts such as administrators safe, so the ransomware typically has an easy job escalating its privileges and gaining additional access.
Many ransomware variants prioritize finding assets that contain large amounts of data, such as SQL databases and CSB files, as these will likely cause the most significant disruption for the victim. More sophisticated threat actors may also take direct control of escalation and lateral movement. They then have the ability to wait and trigger the attack only when the most valuable data and systems is accessed.
The First Sign of a Ransomware Attack
For many victims, the first sign that ransomware attackers have struck is when they find their files locked down or receive a ransom demand.
A ransomware outbreak will have three major areas of impact for the target.
The first and most obvious impact is the organization will have its critical files and systems locked down. If left unchecked, the infection can spread, possibly encrypting all the company’s assets, including the data in its cloud environments.
To make matters worse, attackers have designed some ransomware variants to prioritize discovering and locking down backups, thus denying the victim an easy route to restore their system to its pre-infected state. So, if the victim has not segmented its network, the ransomware can discover and encrypt backups both on-premises and in the cloud.
Finally, attackers have added a new element to their attack, coupling encryption with exfiltration. The malware will copy any valuable or sensitive assets found and send this data to the attacker's command and control server. This technique ensures that even if the victim can restore their systems without caving into the ransom demand, the attackers still have a path to profit by blackmailing the target. Then the attacker threatens to make the stolen data public if a ransom payment is not forthcoming. However, even if the victim pays up, the attacker will still sell the stolen data on the dark web.
Recovering from a Ransomware Attack
Don't panic. While recovering from an attack is easier said than done when a worst-case scenario occurs, keeping a cool head will go a long way toward mitigating the damage. Security teams need to resist the urge to focus entirely on the immediate challenge of getting the company operational again and spare some thought for longer-term activity.
The priority should be to locate the source of the attack and ensure this vulnerability is closed, whether the avenue of access was a compromised user account or an unpatched application. Next, it is essential to track down any remaining malware on the system. Attackers will frequently deploy ransomware through another malware, which remains hidden so the attacker can use it later. Follow-up strikes may occur as much as six months down the line once the victim has lowered their guard.
Threat hunting is one of the most effective ways of searching out well-hidden modular malware. This approach sees a team of skilled security professionals combine their experience and intuition with automated tools to uncover vulnerabilities and attack paths missed by automated scans.
Stopping Ransomware Attacks From Happening (Again)
With thousands of attacks every day, most businesses eventually will be hit, but that doesn't mean each attack must be an unadulterated disaster. On the contrary, reducing the average malware attack to a minor inconvenience is possible with the proper precautions in place.
To reduce the risk, an organization must set up hurdles making it difficult for the attacker and their ransomware every step of the way.
First, deny an attacker easy access by closing off those common attack paths. An organization can accomplish this with a well-managed patching program with priority placed on high-risk applications. Next, implementing strong password processes and credential management solutions will make it harder for attackers to gain control of user accounts. The next element is adding more effective email security, and awareness training will reduce the chances of email-bound threats.
Further steps include configuring and securing the network to stop ransomware from having free rein if it gains entry.
Organizations need to conduct a thorough audit of their entire IT estate to get a clear picture. From here, they can start implementing barriers to slow and stop ransomware and other threats. Network segmentation is useful as it prevents the intruder from easily achieving lateral movement. If an outbreak does occur, it will be contained to a limited area, making it easier to find the source and resolve the threat.
Organizations should implement a least privilege approach, so users only have access to systems they need for their job. This action will significantly reduce the damage that a single compromised account can wreak.
By taking steps now to fortify their IT infrastructure against attacks and slow down those intruders that make it through, organizations can significantly reduce their chances of falling victim to a ransomware attack, whether it's a first strike or greedy criminals coming back around for more.
DATA SHEET
Ransomware Preparedness Service
Ransomware attacks have continued to rise year on year, and it is estimated an attack occurs every 11 seconds, according to Cybersecurity Ventures. The threat of a ransomware attack is a high priority concern for both business and security leaders who are seeking assurance that their organizations have the appropriate controls to detect, respond and recover from a ransomware incident. Trustwave’s Ransomware Preparedness service, unlike many offerings in the market today, doesn’t focus on singular aspects of a client’s security defense but looks at all critical lines of defense
About the Author
Ed Williams is VP, SpiderLabs at Trustwave, with over 10 years of experience directly focused on penetration testing and consultancy for Government and private sector organizations. Follow Ed on LinkedIn.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.